Message-ID: <#14.4d6b2968.0x5366967fbcab8bcee8b3b3f7f720f62c.51b0ecd7.be8@google.trakken.com>
Date: Thu, 06 Jun 2013 20:11:03 -0000
From: "Google Security" <security@...gle.com>
To: "Pavel Machek" <pavel@....cz>
Cc: bugtraq@...urityfocus.com
Subject: Re: [#1298868584] Copy&paste from web browser considered dangerous
Hi Pavel,
Since Chrome is based on Chromium (an open source project), please file
the report directly in their bug tracker: http://crbug.com
This provides a number of benefits:
- You get direct access to the same developers that will triage and fix
the issue; and
- Once it's fixed, the bug will be made public (though if you use the
"Security Bug" template, the bug will be restricted to a small group of
security engineers until this occurs).
Regards,
The Google Team
Original Message Follows:
------------------------
From: Pavel Machek <pavel@....cz>
Subject: Copy&paste from web browser considered dangerous
Date: Sat, 1 Jun 2013 15:46:00 +0200
> Hi!
>
> Apparently this has been known for years, but... there are many legitimate
> websites that expect you to copy&paste into terminal, but it is very
> easy to paste something you did not want to. Demo is at
>
> http://thejh.net/misc/website-terminal-copy-paste
>
> I believe it is a bug in the web browser: if text was invisible on the
> page, it should not go to the buffer. JavaScript should not be able
> to play tricks with that.
>
> Or alternatively, if the text on screen differs from the text going to
> the copy-paste buffer, a warning with the new text should be displayed.
>
> (security@...gle cc-ed, at least chromium on debian 6 is affected).
> Pavel
> --
> (english) http://www.livejournal.com/~pavelmachek
> (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
>
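
The second proposal in the report above (warn when the copy buffer differs from what was on screen) can be sketched as a pre-paste check. This is an added example, not part of the e-mail thread or of any browser or terminal; `inspect_paste` and the sample strings are hypothetical, and it assumes the visible text is available for comparison.

```python
import difflib
import re
import unicodedata


def inspect_paste(visible, clipboard):
    """Return warnings about clipboard text before it is pasted into a terminal.

    visible   -- the text the user saw and selected on the page (assumed known)
    clipboard -- the text actually held in the copy buffer
    """
    warnings = []

    # A line break makes the shell run the preceding text the moment it is pasted.
    lines = re.split(r"\r\n|\r|\n", clipboard)
    if len(lines) > 1:
        warnings.append(f"{len(lines) - 1} line break(s): text before each one runs on paste")

    # Control (Cc) and format (Cf) characters are invisible in most renderings.
    for ch in sorted(set(clipboard) - set("\r\n\t")):
        if unicodedata.category(ch) in ("Cc", "Cf"):
            name = unicodedata.name(ch, "control character")
            warnings.append(f"invisible character U+{ord(ch):04X} ({name})")

    # Show the parts of the buffer that were never on screen.
    matcher = difflib.SequenceMatcher(None, visible, clipboard, autojunk=False)
    for tag, _, _, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            warnings.append(f"not visible on page: {clipboard[j1:j2]!r}")
    return warnings


if __name__ == "__main__":
    # Constructed sample: the page showed one harmless command, the buffer holds more.
    shown = "ls -la /tmp"
    copied = "ls -la ; echo HIDDEN\n/tmp"
    for w in inspect_paste(shown, copied):
        print("WARNING:", w)
```

An empty result means the buffer matches the visible text and contains no line breaks or invisible characters.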